

Messages - cr4zi8

1
The only thing I can say about this is that it is great for a server or whatever, but an average user will rarely open a terminal and sudo, so this is really only applicable if you are targeting something that receives a fair amount of sysadmin attention.

2
General discussion / Re: Current Careers & Aspirations
« on: December 28, 2015, 10:27:14 pm »
I do a few things.

#1 I'm currently employed as an IT project manager in a decent company. Currently working on getting two web shops ready for the post-Christmas sale and developing a payment solution with BTC for our eCommerce software.

#2 Studying Information Technology at university.

#3 F16 simulator instructor. These are military grade simulators.

#4 Teacher in a youth club. This job is two evenings a week, where I mainly hang out with the kids, play some PlayStation, table tennis etc.

Do you take speed so that you don't have to sleep or what?

3
General discussion / Re: Current Careers & Aspirations
« on: December 28, 2015, 08:18:06 pm »
I am a student that does studenty things in high school. I would definitely like to work somewhere in the security industry. I quite enjoy vulnerability analysis and exploit development and have focused there, so I hope to work somewhere in that field.

4
I feel like this kit is not that useful... If you just wanted to do SQL injection automatically, why not just use sqlmap? There are already Base64 encoders/decoders etc. for Firefox and probably Chrome. Also, I sorta don't trust this; maybe it is just me, but this looks sketchy.

5
General discussion / Re: Just Finished my New Build
« on: December 28, 2015, 06:23:40 pm »
Any RAID configured on the drive? Also, you should SLI that 980 for the ultimate experience, that's what I got at the moment.


No RAID configuration at the moment, just using the SSD for the OS and key programs and the Blue for mass storage. I am used to dual booting on a 500 GB so this storage is fine for now. As to SLI, I will definitely go for that in my next upgrade when I have more money. Eventually I plan on upgrading the processor (and maybe a new cooler), adding a new video card, and going for a 4K monitor. That might be a long way down the road though, as I just squeaked by under budget for this build. Would love to have two 980 Tis.

6
General discussion / Re: Just Finished my New Build
« on: December 28, 2015, 06:01:20 pm »
Looks nice. Whatchu gonna put on it OS wise?


Currently I have Windows 10 on it for all of my games, trying to decide if I am going to get some extra storage for a dual boot kind of setup. Maybe a PCIe SSD and a 4 TB Green or something, idk.

7
General discussion / Just Finished my New Build
« on: December 28, 2015, 03:02:16 pm »
So yesterday I finished a new PC that I have been wanting to get done since forever.


Partlist:


CPU - I5 6600k
GPU - 980 ti
RAM - G.Skill Ripjaws V Series 16GB (This is one thing I am having an issue with: it should be DDR4 2400 but it appears to run at 2133 even according to the BIOS. Maybe a mistake in shipping, but the speed of the RAM does not really affect me, so I am debating whether to call or not)
MOBO - Asus Z170-A ATX LGA1151 Motherboard
CPU COOLER- Hyper 212 Evo
Storage:
Samsung 850 EVO-Series 250GB 2.5" Solid State Drive
WD Blue 1 TB
PSU: 850W EVGA G2
PCIE:
Gigabyte GC-WB867D-I 802.11a/b/g/n/ac PCI-Express x1 Wi-Fi Adapter
NZXT LED strip
CASE: NZXT H440
MONITOR: BenQ GW2765HT (IPS 1440p 60hz)


So yeah those are the parts and here are some pictures:
And yes I was reading the manuals, there are two times I do that. One is building pcs the other is building Ikea furniture, equally daunting tasks.

8
Projects and Discussion / Fuzzing Chrome
« on: December 24, 2015, 11:04:23 pm »
So I just finished writing a fuzzing harness for Chrome incorporating Google's AddressSanitizer, but just realized I have no idea about how I am going to go about generating test cases. I was thinking something like pulling down a list of all HTML elements and CSS parameters, then randomly assigning the parameters and then randomly filling blocks of HTML elements etc. I have no idea if that would work well. I would appreciate some ideas on test case generation for browsers (I did some research but found very little solid information on the topic).


ps. Merry Christmas if you celebrate it or Happy December if you don't :P
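One way to feed the harness described in the post above, as an added example that is not part of the original post: a grammar-driven generator (Python 3, standard library only) that builds random but well-formed HTML documents from an element/attribute/CSS table, seeds the RNG so any crashing case can be regenerated from its seed, and then applies structural mutations so the parser's error-recovery paths get exercised as well as the happy path. The vocabulary below is a small constructed slice, not the full element and property lists the post talks about pulling down.

```python
import html
import random
from html.parser import HTMLParser

# Constructed vocabulary: a small slice of HTML elements, their attributes and
# CSS properties.  A real harness would load the complete lists instead.
ELEMENTS = {
    "div": ["class", "style", "contenteditable"],
    "span": ["class", "style"],
    "p": ["class", "style"],
    "table": ["border", "style"],
    "td": ["colspan", "rowspan", "style"],
    "input": ["type", "value", "style"],
    "svg": ["width", "height", "viewBox"],
    "a": ["href", "target", "style"],
    "canvas": ["width", "height"],
}
VOID = {"input"}                      # elements that take no closing tag
CSS_PROPS = {
    "position": ["absolute", "fixed", "sticky", "relative"],
    "display": ["flex", "grid", "table-cell", "inline-block", "none", "contents"],
    "width": ["0", "1px", "100%", "999999px", "-1px", "calc(100% + 1px)"],
    "transform": ["rotate(45deg)", "scale(0)", "matrix3d(1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1)"],
    "float": ["left", "right"],
    "overflow": ["hidden", "scroll", "auto"],
    "columns": ["3", "auto 2"],
    "writing-mode": ["vertical-rl", "sideways-lr"],
}
# Attribute values chosen to stress attribute parsing: empty, numeric edges,
# very long, format strings, a bidi override character.
ATTR_VALUES = ["", "0", "-1", "4294967296", "1e308", "x" * 300, "%n%n", "\u202e"]
TEXTS = ["", "text", "\u200b", "&#x10FFFF;", "&lt;&lt;&lt;"]


class HtmlGen:
    """Generates one well-formed document per call; same seed, same document."""

    def __init__(self, seed, max_depth=4, max_children=3):
        self.rng = random.Random(seed)
        self.max_depth = max_depth
        self.max_children = max_children
        self.counter = 0

    def decls(self):
        names = self.rng.sample(sorted(CSS_PROPS), k=self.rng.randint(1, 4))
        return "; ".join("%s: %s" % (n, self.rng.choice(CSS_PROPS[n])) for n in names)

    def element(self, depth):
        tag = self.rng.choice(sorted(ELEMENTS))
        self.counter += 1
        attrs = {"id": "e%d" % self.counter}       # ids let the stylesheet target nodes
        for name in ELEMENTS[tag]:
            if self.rng.random() < 0.5:
                attrs[name] = self.decls() if name == "style" else self.rng.choice(ATTR_VALUES)
        open_tag = "<%s%s>" % (tag, "".join(
            ' %s="%s"' % (k, html.escape(v, quote=True)) for k, v in sorted(attrs.items())))
        if tag in VOID:
            return open_tag
        if depth >= self.max_depth:
            body = self.rng.choice(TEXTS)
        else:
            body = "".join(self.element(depth + 1)
                           for _ in range(self.rng.randint(0, self.max_children)))
        return "%s%s</%s>" % (open_tag, body, tag)

    def document(self):
        self.counter = 0
        body = "".join(self.element(1) for _ in range(self.rng.randint(1, self.max_children)))
        rules = "\n".join("#e%d { %s }" % (self.rng.randint(1, self.counter), self.decls())
                          for _ in range(self.rng.randint(1, 5)))
        return ("<!DOCTYPE html>\n<html><head><style>\n%s\n</style></head>\n"
                "<body>\n%s\n</body></html>\n" % (rules, body))


def mutate(doc, seed):
    """Second stage: break structure on purpose (duplicate a slice, drop a closing
    tag, or splice in a stray end tag) so error recovery gets fuzzed as well."""
    rng = random.Random(seed)
    i, j = sorted(rng.sample(range(len(doc)), 2))
    op = rng.randint(0, 2)
    if op == 0:
        return doc[:j] + doc[i:j] + doc[j:]
    if op == 1:
        return doc.replace("</div>", "", 1)
    return doc[:i] + "</table>" + doc[i:]


def corpus(seed, n):
    """n test cases: the even ones well-formed, the odd ones mutated copies."""
    gen = HtmlGen(seed)
    out = []
    for k in range(n):
        doc = gen.document()
        out.append(mutate(doc, seed + k) if k % 2 else doc)
    return out


class _Balance(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.ok = [], True

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.stack and self.stack[-1] == tag:
            self.stack.pop()
        else:
            self.ok = False


def is_balanced(doc):
    """Sanity check on the generator's own output (mutated cases may fail it)."""
    p = _Balance()
    p.feed(doc)
    p.close()
    return p.ok and not p.stack


if __name__ == "__main__":
    for k, case in enumerate(corpus(1, 4)):
        with open("case_%03d.html" % k, "w", encoding="utf-8") as fh:
            fh.write(case)
    print("wrote 4 cases")
```

Record the seed alongside every file the harness loads: with a seeded generator the crashing input is reproducible from the seed alone, which matters more than the corpus itself once ASan reports something.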

9
Scripting Languages / [Python] Omegle IP tracking script
« on: August 01, 2015, 06:30:04 pm »
This is a quick script that sniffs UDP packets, looking for things that look like Omegle video stream packets, then uses GeoIP to track them. You can obviously modify this to use premium GeoIP and GeoIP2 very easily; I just do not own those products.

Code: (python)
from __future__ import print_function
import pcapy
import GeoIP
from impacket.ImpactDecoder import EthDecoder

gi = GeoIP.open("/usr/local/share/GeoIP/GeoLiteCity.dat", GeoIP.GEOIP_STANDARD)

# Addresses never to look up: put your own LAN hosts and router here.
ips = ["192.168.1.100", "192.168.1.1"]


def track(ip):
    """Look an address up once; addresses already seen are skipped."""
    if ip in ips:
        return
    ips.append(ip)
    gir = gi.record_by_addr(ip)
    if gir is not None:
        print(str(gir))
        print(ip)


print("Devices:")
for d in pcapy.findalldevs():
    print("\t- " + d)
dev = raw_input('Enter device name: ')
cap = pcapy.open_live(dev, 1024, 1, 0)   # 1024 byte snaplen, promiscuous, no read timeout
cap.setfilter('udp')


def recv_pkts(hdr, data):
    packet = str(EthDecoder().decode(data))
    # The decoder's text dump of an Omegle video stream packet is 67 lines long;
    # that line count is the only signature used here.
    if len(packet.split("\n")) != 67:
        return
    # The second line of the dump is the IP header, "IP DF <src> -> <dst>" (or
    # "IP <src> -> <dst>" without the DF flag); take the source address in front of the arrow.
    ipline = packet.splitlines()[1]
    if ipline[0:5] == "IP DF":
        track(ipline[6:ipline.index('>') - 2])
    else:
        track(ipline[3:ipline.index('>') - 2])


track("1.1.1.1")          # quick self-test of the GeoIP lookup
cap.loop(-1, recv_pkts)   # -1 = keep capturing until interrupted

Currently reworking a traceroute solution to get dest-1 for more reliable state codes in the US. Will add that as soon as it is finished.

N.B. Seems there has been some confusion on what is necessary to run this so here is a requirement list:

Python 2.x
Pcapy: http://www.coresecurity.com/corelabs-research/open-source-tools/pcapy
Impacket: http://www.coresecurity.com/corelabs-research/open-source-tools/impacket
Python GeoIP api: https://pypi.python.org/pypi/GeoIP/
GeoIP: http://dev.maxmind.com/geoip/legacy/geolite/
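A more robust way to get the addresses out of a captured frame than slicing the decoder's text dump, as an added example that is not part of the original post (Python 3, standard library only): the Ethernet, IPv4 and UDP headers are parsed with struct, the LAN/loopback/multicast ranges are skipped by class instead of a hard-coded address list, and the size signature is a parameter. The 67-line signature and whatever the Omegle packets actually look like are the post's; the payload length used below is a constructed placeholder, and the frames are constructed for the demo (1.1.1.1 is the address the post itself uses for its test call). The GeoIP lookup is left to whichever library is installed.

```python
import ipaddress
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def parse_udp(frame):
    """Decode an Ethernet/IPv4/UDP frame into (src, dst, sport, dport, payload_len).

    Returns None for anything else (VLAN-tagged, IPv6, TCP, truncated)."""
    if len(frame) < ETH_LEN + 20 + 8:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_LEN:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                 # header length honours IP options
    if ihl < 20 or len(ip) < ihl + 8 or ip[9] != PROTO_UDP:
        return None
    src = ipaddress.IPv4Address(ip[12:16])
    dst = ipaddress.IPv4Address(ip[16:20])
    sport, dport, ulen = struct.unpack_from("!HHH", ip, ihl)
    if ulen < 8 or len(ip) < ihl + ulen:
        return None
    return src, dst, sport, dport, ulen - 8


def is_remote(addr):
    """True for an address worth geolocating: not LAN, loopback, multicast, link-local or reserved."""
    return not (addr.is_private or addr.is_loopback or addr.is_multicast
                or addr.is_link_local or addr.is_reserved)


class PeerTracker:
    """Reports each remote peer once; payload_len is the optional size signature."""

    def __init__(self, payload_len=None, ignore=()):
        self.payload_len = payload_len
        self.ignore = [ipaddress.ip_network(n) for n in ignore]   # extra nets to skip
        self.seen = set()

    def feed(self, frame):
        """Return the remote address newly learned from this frame, or None."""
        parsed = parse_udp(frame)
        if parsed is None:
            return None
        src, dst, _sport, _dport, plen = parsed
        if self.payload_len is not None and plen != self.payload_len:
            return None
        for addr in (src, dst):             # the remote end may be on either side
            if (is_remote(addr) and addr not in self.seen
                    and not any(addr in net for net in self.ignore)):
                self.seen.add(addr)
                return addr
        return None


def build_frame(src, dst, sport, dport, payload):
    """Construct a frame for testing (zero MACs and checksums; DF flag set)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     PROTO_UDP, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


if __name__ == "__main__":
    # Stand-in for the pcapy loop: feed the tracker each captured frame and hand
    # whatever it returns to the GeoIP lookup.
    tracker = PeerTracker(payload_len=100)
    frames = [build_frame("192.168.1.100", "1.1.1.1", 40000, 50000, b"A" * 100),
              build_frame("1.1.1.1", "192.168.1.100", 50000, 40000, b"B" * 100),
              build_frame("192.168.1.1", "192.168.1.100", 53, 40000, b"C" * 100)]
    for fr in frames:
        peer = tracker.feed(fr)
        if peer is not None:
            print("new peer", peer)
```

With pcapy the callback is the same shape as the post's: `cap.loop(-1, lambda hdr, data: tracker.feed(data))`, with the returned address passed to `gi.record_by_addr(str(addr))`. The `ignore` list is for the case the post handles with its `ips` list: hosts on your own network that are not private-range but still not interesting.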



10
Tutorials / Re: The Art of Doxing
« on: July 09, 2015, 05:29:34 pm »
Calling doxing an art is like calling a hitman your PR officer...

11
Scripting Languages / Re: [Python] Browser automation
« on: June 23, 2015, 05:47:18 pm »
After a timeout and/or completion of a macro, iMacros automatically closes the tab; it is not necessary to kill Firefox.

12
Scripting Languages / [Python] Browser automation
« on: June 21, 2015, 02:36:12 pm »
So a friend wanted me to give him some votes in a silly poll. The problem was there were checks to make sure that the requests were coming from a browser. I did not feel like working with POST requests to try to get around this, so instead I came up with this:

Code: (Python)
import os
import time

# One proxy per line, host:port as iMacros expects it.
prox = open("[Path to proxy list]")
for line in prox:
    proxy = line.strip()          # drop the newline so it does not split the macro line
    if not proxy:
        continue
    f = open("C:\\Users\\[Your Username]\\Documents\\iMacros\\Macros\\#Current.iim", "w")
    f.write("VERSION BUILD=8920312 RECORDER=FX\n"
            "TAB T=1\n"
            "TAB CLOSEALLOTHERS\n"
            "CLEAR\n"                                  # wipe cookies so an earlier visit is not remembered
            "URL GOTO=[REDACTED]\n"
            "PROXY ADDRESS=" + proxy + "\n"            # each run goes out through the next proxy
            "FRAME F=1\n"
            "TAG POS=1 TYPE=LABEL FORM=ID:form1 ATTR=TXT:Quentin<SP>Anderson\n"
            "TAG POS=1 TYPE=INPUT:RADIO FORM=ID:form1 ATTR=ID:PollX1_rblOPT_0\n"
            "TAG POS=1 TYPE=INPUT:SUBMIT FORM=ID:form1 ATTR=ID:PollX1_btnVote")
    f.close()
    os.system('start "" "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe" imacros://run/?m=#Current.iim')
    time.sleep(20)                # give iMacros time to finish before the file is rewritten


First you scrape a proxy list so that you can have several different users. Then you record the action you want the users to do using iMacros (in this case, vote on the poll). You then edit this script slightly, adding CLEAR before the action (this clears cookies, just in case it is storing that you have already been there in a cookie). You also add a line with PROXY ADDRESS=. You then loop through the proxy list, appending each proxy to the line PROXY ADDRESS=. You then run the macro file with iMacros, making sure to give it time to process; 20 is probably excessive.

I know this is pretty basic, but thought it might help simplify automation for people who did not know about this. Obviously this could be taken further to register multiple users, since Google's CAPTCHA does not detect this.

13
Scripting Languages / [Python] Assymetric Irc Key pass
« on: June 19, 2015, 09:38:00 pm »
Plugin made for hexchat or xchat.

Installation for HexChat (for XChat replace every hexchat with xchat :P):
1. Put the Python file in the addons directory for HexChat (usually ~/.config/hexchat/addons/)
2. Install pycrypto: https://www.dlitz.net/software/pycrypto/
3. If you are on Mac OS X you may need to compile pycrypto, then drop the compiled library into the addons folder

Usage:
1. Type /invch to invite a user to a chat; the syntax is /invch [nick] [key phrase for FiSH] [channel to chat on]
2. The user will receive a PM and should type /a [name of person you are accepting]
3. The keys will now be set; talk freely
4. Do /delkey [channel name] to end the chat

Code: (Python)
import sys
import hexchat
from os.path import expanduser

# Step 3 of the install notes: a pycrypto build dropped into the addons
# directory is made importable here.
home = expanduser("~")
sys.path.insert(0, home + "/.config/hexchat/addons/")
from Crypto.PublicKey import RSA

__module_name__ = "rsa2fish"
__module_description__ = "rsa2fish"
__module_version__ = "1.0"

# Wire format: the RSA ciphertext is hex encoded as ':hh:hh:...', split into
# private messages that start with "avx", and the last message ends ":endofstr".
invlist = []      # nicks that invited us and are waiting for our public key
inving = []       # nicks we invited and are waiting for a public key from
password = []     # FiSH key phrase for each nick in inving (same index)
privkey = None    # our RSA key pair while an accepted exchange is in flight
m = ""            # reassembly buffer for incoming ciphertext fragments
chan = ""         # channel the key will be set for


def rawblock(r):
    """Decode the ':hh:hh:hh' hex encoding back into a raw byte string."""
    t = ""
    for i, x in enumerate(r):
        if x == ':':
            t += chr(int(r[i + 1:i + 3], 16))
    return t


def setkey():
    return RSA.generate(2048)


def finacc(arg1, arg2, arg3):
    """Invitee side: reassemble the ciphertext fragments, decrypt the key phrase, set it."""
    global m, privkey, chan
    # arg2 is word_eol, so arg2[0] is "nick message..."
    words = arg2[0].split()
    if len(words) < 2:
        return
    for ind, x in enumerate(invlist):
        if words[0] == x:
            if words[1].find("endofstr") == -1:
                m = m + words[1][3:]                  # strip the "avx" prefix
            else:
                m = m + words[1][3:words[1].find("endofstr") - 1]
                invlist.remove(invlist[ind])
                rstr = rawblock(m)
                # PyCrypto's RSA decrypt() is raw (unpadded) RSA, the counterpart of encrypt(pas, 2) below.
                pas = privkey.decrypt(rstr)
                hexchat.prnt("The command is:setkey " + chan + " " + pas)
                hexchat.command("setkey " + chan + " " + pas)
                hexchat.prnt("Your key is now " + pas)
                m = ""
            return hexchat.EAT_ALL


def fininv(arg1, arg2, arg3):
    """Inviter side: on the invitee's public key, encrypt the key phrase and send it in pieces."""
    global chan
    words = arg2[0].split()
    if len(words) < 3:
        return
    for ind, x in enumerate(inving):
        if words[0] == x and words[1] == "ssh-rsa":
            hexchat.prnt("Public key received")
            key = RSA.importKey(words[1] + " " + words[2])
            pas = password[ind]
            # Raw RSA, no padding; PyCrypto ignores the second argument for RSA keys.
            stv = key.encrypt(pas, 2)
            c = ["avx"]
            size = 3
            for d in stv[0]:
                if size > 200:                   # start a new message before it gets too long for an IRC line
                    c.append("avx")
                    size = 3
                c[-1] += ":" + d.encode('hex')
                size += 3
            c[-1] += ":endofstr"
            for sbv in c:
                hexchat.command("msg " + words[0] + " " + sbv)
            password.remove(password[ind])
            inving.remove(inving[ind])
            hexchat.prnt("The command is:setkey " + chan + " " + pas)
            hexchat.command("setkey " + chan + " " + pas)
            return hexchat.EAT_ALL


def acceptcheck(arg1, arg2, arg3):
    """Always hooked: spot an invitation ("sendkey <channel>") in a private message."""
    global chan
    words = arg2[0].split()
    if len(words) >= 3 and words[1].find("sendkey") != -1:
        hexchat.prnt(words[0] + " wants to chat via rsa2fish on " + words[2] + " /a to accept!")
        chan = words[2]
        invlist.append(words[0])
        return hexchat.EAT_ALL


def accept(arg1, arg2, arg3):
    """/a <nick>: generate a key pair and send the public half to the inviter."""
    global privkey
    words = arg2[1].split()
    if len(words) != 1:
        hexchat.prnt("Usage: /a [nick]")
        return hexchat.EAT_ALL
    for x in invlist:
        if x == words[0]:
            hexchat.prnt("accepting " + x)
            privkey = setkey()
            pub = privkey.publickey().exportKey('OpenSSH')   # "ssh-rsa AAAA...", fits in one message
            hexchat.command("msg " + x + " " + pub)
            hexchat.hook_print("Private Message to Dialog", finacc)
            return hexchat.EAT_ALL
    hexchat.prnt("No user invs from " + words[0])
    return hexchat.EAT_ALL


def inv(fun, args, true):
    """/invch <nick> <key phrase> <channel>: ask nick for a public key."""
    global chan
    words = args[1].split()
    if len(words) == 3:
        hexchat.prnt("Inviting " + words[0] + " with the password " + words[1])
        hexchat.command("msg " + words[0] + " sendkey " + words[2])
        inving.append(words[0])
        password.append(words[1])
        hexchat.hook_print("Private Message to Dialog", fininv)
        chan = words[2]
    else:
        hexchat.prnt("Usage: /invch [user] [key phrase] [channel]")
    return hexchat.EAT_ALL


hexchat.prnt("\002\00304rsa2fish loaded...")
hexchat.hook_print("Private Message to Dialog", acceptcheck)
hexchat.hook_command("invch", inv, help="no")
hexchat.hook_command("a", accept, help="no")



Bugs:
Currently hooks are left open stupidly :P
There is a DoS vuln; cookies to those who find it ;)
Something has been going on on one of my computers where it encrypts fine but for some reason it will not decrypt the other user's message. I think that might be a bug with HexChat's FiSH implementation (please report this if you see it so I can start to try to narrow down causes)
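The fragmenting and reassembly the plugin does with its "avx" messages and ":endofstr" terminator, as an added example that is not part of the original plugin (Python 3, standard library only). It covers the wire framing only: the ciphertext is a constructed random block standing in for the RSA output, and the reassembler caps its buffer, which the plugin's `m = m + ...` accumulation does not.

```python
import os

CHUNK_PREFIX = "avx"
END_MARKER = "endofstr"
MAX_CHUNK = 200        # the plugin starts a new message around this size
MAX_BUFFER = 4096      # a 2048-bit RSA block is 256 bytes = 768 chars of ':hh'; cap well above that


def hex_frame(ciphertext):
    """Split ciphertext bytes into 'avx:hh:hh...' messages, the last one ending ':endofstr'."""
    chunks = [CHUNK_PREFIX]
    size = len(CHUNK_PREFIX)
    for b in ciphertext:
        if size + 3 > MAX_CHUNK:         # next byte would not fit: start another message
            chunks.append(CHUNK_PREFIX)
            size = len(CHUNK_PREFIX)
        chunks[-1] += ":%02x" % b
        size += 3
    chunks[-1] += ":" + END_MARKER
    return chunks


def rawblock(r):
    """Decode ':hh:hh:hh' back into bytes; strict about the format."""
    parts = r.split(":")
    if parts[0] != "" or len(parts) < 2:
        raise ValueError("not a ':hh' block")
    out = bytearray()
    for h in parts[1:]:
        if len(h) != 2:
            raise ValueError("bad hex byte %r" % h)
        out.append(int(h, 16))
    return bytes(out)


class Reassembler:
    """Collects fragments from one peer.  The buffer is bounded so a peer that never
    sends the end marker cannot make it grow without limit."""

    def __init__(self, max_buffer=MAX_BUFFER):
        self.buf = ""
        self.max_buffer = max_buffer

    def feed(self, msg):
        """Return the ciphertext once the terminating fragment arrives, else None."""
        if not msg.startswith(CHUNK_PREFIX):
            raise ValueError("not a framed fragment")
        body = msg[len(CHUNK_PREFIX):]
        end = body.find(":" + END_MARKER)
        done = end != -1
        if done:
            body = body[:end]
        if len(self.buf) + len(body) > self.max_buffer:
            self.buf = ""
            raise ValueError("frame exceeds %d characters" % self.max_buffer)
        self.buf += body
        if not done:
            return None
        data, self.buf = self.buf, ""
        return rawblock(data) if data else b""


def roundtrip(ciphertext):
    """Sender frames, receiver reassembles: what the two plugin ends do over /msg."""
    r = Reassembler()
    result = None
    for msg in hex_frame(ciphertext):        # each msg would be one "msg <nick> ..." line
        result = r.feed(msg)
    return result


if __name__ == "__main__":
    ct = os.urandom(256)                     # stand-in for the 256-byte RSA-2048 output
    msgs = hex_frame(ct)
    print(len(msgs), "messages, longest", max(map(len, msgs)), "chars")
    assert roundtrip(ct) == ct
```

The 200-character limit leaves room under the 512-byte IRC line limit for the "PRIVMSG nick :" overhead the client adds, which is why a 256-byte block goes out as four messages rather than one.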

14
Game Hacking, Modding & Discussing / Re: [C] Aimbot CS:GO
« on: June 13, 2015, 07:47:18 pm »
As of today the executable is not detected and given that it is external it will probably stay that way for quite a long time, you can always use the dll if you worried though (the dll is slower and does not smooth aim well).

15
Game Hacking, Modding & Discussing / [C] Aimbot CS:GO
« on: June 13, 2015, 07:01:20 pm »
Figured I would drop what I am working on here. It is not nearly done yet, I have to document the source, add vision checks with bsp parsing etc but for now this is what I have:

Code: (C)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tlhelp32.h>
#include <math.h>
#include <float.h>
#define HEAD 10
#define BODY 2
#ifndef M_PI //MinGW's math.h already defines it
#define M_PI 3.14159265358979323846
#endif

char process[] = "csgo.exe";
char dname [] = "client.dll";
char ename [] = "engine.dll";     
HANDLE proc;//process handle
DWORD dll;//adress of the dll
DWORD playerbase = 0x00a74cdc   ;//the base adress of the local player
DWORD entitybase = 0x04a16c14;//base of the entity list
DWORD toff = 0x000000f0;//offset for the team number
DWORD coff = 0x00002410;//offset of the crosshair id
DWORD spbase;//this will be the static adressess to the player base wich will be calculated
DWORD pid;//the process id
DWORD engine;
DWORD cstate=0x005ce294;
DWORD aoff=0x00004ce0;
DWORD angoff;
DWORD bonemat=0x0A78;   
DWORD vecorigin=0x00000134;
DWORD vecoff=0x00000104;
DWORD offl=0x0000025b;
DWORD dormant=0xe9;
int rage=0;
int head=0;
int first=0;
int teams[32];
int fir=1;
int teamnum;
int factor=50;//list corresponding to the crosshair ids that will store each player's teams. This is far quicker than reading the team from that adress so this avoids missed shots.
int mpow(int base, int pow);//just a basic power function nothing special here
HANDLE getHandle(char pname[]);//gets the handle of the process
void fire();//clicks the mouse firing the gun
DWORD modBase(LPSTR mname);//gets the adress of a dll or any mod for that matter
void buildList();//builds the team list in teams[24]
void printList();
void aim(int id,float smooth);
int entry();
double getHyp(int id);
double getVec(float *src, float *dest);

int main()
{
    /*
   FILE * file = fopen("aim.txt","r");
   int s;
   char names[12][40];
   DWORD addr[11];
    for(s=0;s<12;s++)
    {
        if(s<11)
        {
        if(fscanf(file, "%s %x", &names[s], &addr[s])==EOF)
            s=12;
        }else
        {
            if(fscanf(file, "%s %d", &names[s], &factor)==EOF)
            s=12;
        }
       
         
    }
    for(s=0;s<11;s++)
    {
printf("\n%s",names[s]);
       
         
    }

    for(s=0;s<11;s++)
    {
        if(names[s]=="playerbase")
        {
            playerbase=addr[s];
            printf("%x",addr[s]);
        }
        if(names[s]=="entitybase")
            entitybase=addr[s];
        if(names[s]=="offsetteam")
            toff=addr[s];
        if(names[s]=="offsetcrosshair")
            coff=addr[s];       
        if(names[s]=="viewangles")
            aoff=addr[s];
        if(names[s]=="bonematrix")
            bonemat=addr[s];
        if(names[s]=="vecorigin")
            vecorigin=addr[s];
        if(names[s]=="vecoffsets")
            vecoff=addr[s];
        if(names[s]=="lifestate")
            offl=addr[s];
        if(names[s]=="dormant")
            dormant=addr[s];
        if(names[s]=="cstate")
            cstate=addr[s];                                                                             
    }
    printf("\n%d", factor);
    */
    while(!proc)//while proccess is null keep on trying to get that damn handle
        proc=getHandle(process);
    int pressing=mpow(2,(sizeof(short)*8)-1);//0x8000: the high bit GetAsyncKeyState sets while the key is held down
    short pressed=1;//bit 0: the key was pressed since the last call; both are used to monitor key input
    dll=modBase(dname);//gets the dll adress
    engine=modBase(ename);
    DWORD ptemp;
    ReadProcessMemory(proc, (LPCVOID)(engine+cstate),&ptemp,sizeof(ptemp),NULL);
    angoff=ptemp+aoff;
   
    ReadProcessMemory(proc, (LPCVOID)(dll+playerbase),&ptemp,sizeof(ptemp),NULL);//stores the result of dll+playerbase into ptemp getting the final adress
   
    spbase=ptemp;
    buildList();

    ReadProcessMemory(proc, (LPCVOID)(spbase+toff),&teamnum,sizeof(teamnum),NULL);//gets the team of the local player
    teamnum=5-teamnum;//flips the team to enemy team 2 to 3 and 3 to 2
    int running = 1;//boolean saying running

    int persistant=0;
    float smooth=0.0f;
    while(running)
    {
        short i=GetAsyncKeyState(VK_NUMPAD1);
        if((i&pressing||i&pressed))//if numpad 1 was pressed or is currently being pressed
            running=0;//stop the program

        i=GetAsyncKeyState(VK_NUMPAD4);
        if((i&pressing||i&pressed))//if numpad 4 was pressed or is currently being pressed
            buildList();//rebuild the list ie. player leaves team changes etc.
            i=GetAsyncKeyState(VK_NUMPAD2);
        if((i&pressing||i&pressed))//if numpad 2 was pressed or is currently being pressed
            {
                if(!rage)
                {

                    int i;
                    for(i=0;i<32;i++)
                    {
               
                        teams[i]=0;


                    }
 
           
                rage=1;
             
                for(i=0;i<32;i++)
                {
                    printf("\n%d:%d",i,teams[i]);
                }
            }
        }
   
            i=GetAsyncKeyState(VK_NUMPAD3);
            if((i&pressing||i&pressed))//if numpad 3 was pressed or is currently being pressed
            {
                if(rage)
                {
                    int i;
                    for(i=0;i<32;i++)
                    {
               
                        teams[i]=0;


                    }
                }
                rage=0;
            }
        i=GetAsyncKeyState(VK_NUMPAD5);
        if((i&pressing||i&pressed))//numpad 5: triggerbot off
            fir=0;
        i=GetAsyncKeyState(VK_NUMPAD7);
        if((i&pressing||i&pressed))//numpad 7: no aim
            head=0;
        i=GetAsyncKeyState(VK_NUMPAD8);
        if((i&pressing||i&pressed))//numpad 8: aim for the body (bone 2)
            head=2;
        i=GetAsyncKeyState(VK_NUMPAD9);
        if((i&pressing||i&pressed))//numpad 9: aim for the head (bone 10)
            head=10;
        i=GetAsyncKeyState(VK_NUMPAD6);
        if((i&pressing||i&pressed))//numpad 6: triggerbot on
            fir=1;
        i=GetAsyncKeyState(VK_INSERT);
        if((i&pressing||i&pressed))//insert: smooth=0 (no smoothing) and no persistent lock
            {
            persistant=0;
            smooth=0;
            }
        i=GetAsyncKeyState(VK_DELETE);
        if((i&pressing||i&pressed))//delete: smooth=factor (smoothed aim) with a persistent lock on the target
            {
            persistant=1;
            smooth=factor;
            }
                       
        if(!rage)
        {
        int CrosshairID;
        ReadProcessMemory(proc, (LPCVOID)(coff+spbase),&CrosshairID,sizeof(CrosshairID),NULL);//gets the id of the entity the player is aiming at
        if(CrosshairID>0&&CrosshairID<25&&running)//if the id is within the proper range
        {
            if(teams[CrosshairID-1])//and if the team of the entity is an enemy
            {
                if(teams[CrosshairID-1]==teamnum)
                {
                if(!persistant)
                {
                    if(head)
                        aim(CrosshairID-1,smooth);
                    if(fir)
                        fire();//shoot
                        printf("\n%d\n",CrosshairID-1);
                       
                   
                }else
                {
                    if(head)
                    {
                        int ai=1;
                        DWORD e;
                        ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((CrosshairID-1)*0x10)),&e,sizeof(e),NULL);
                        while(ai)
                        {
                            aim(CrosshairID-1,smooth);

                            byte life;
                            ReadProcessMemory(proc, (LPCVOID)(e+offl),&life,sizeof(life),NULL);
                            ai=(life==0);
                            i=GetAsyncKeyState(VK_SHIFT);
                            if((i&pressing||i&pressed))//shift: unlock from the current target
                                ai=0;

                        }
                    }
                }


                }
                 
            }
            else
            {
                printf("%d",CrosshairID);
                int team;
                        DWORD ptemp;
            ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((CrosshairID-1)*0x10)),&ptemp,sizeof(ptemp),NULL);//get the base of the current entity
           
            ReadProcessMemory(proc, (LPCVOID)(ptemp+toff),&team,sizeof(team),NULL);//get the entity's team
                teams[CrosshairID-1]=team;
            }
        }
        }else
        {
            int j;
            int min=0;
            double mn=0;
            int f=0;

            for(j=0;j<32;j++)
            {

                DWORD ptemp;
                ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((j)*0x10)),&ptemp,sizeof(ptemp),NULL);//get the base of the current entity
                if(ptemp)
                {
                int team;
                ReadProcessMemory(proc, (LPCVOID)(ptemp+toff),&team,sizeof(team),NULL);//get the entity's team
                unsigned int dorm;
                ReadProcessMemory(proc, (LPCVOID)(ptemp+dormant),&dorm,sizeof(dorm),NULL);
                if((team==2||team==3)&&!dorm)
                {
                    if(team==teamnum)
                    {
                   
                    byte life;
                    ReadProcessMemory(proc, (LPCVOID)(ptemp+offl),&life,sizeof(life),NULL);
                    if(life==0)
                    {
                        double dyst=getHyp(j);
                        if(!f)
                        {
                            min=j;
                            mn=dyst;
                            f=1;
                        }else
                        {
                            if(dyst<mn&&mn!=0)
                            {
                                mn=dyst;
                                min=j;
                            }
                        }
                    }
                }
                }
                   
                }

   
            }
                            DWORD b;
                ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((min)*0x10)),&b,sizeof(b),NULL);
                byte life;
                ReadProcessMemory(proc, (LPCVOID)(b+offl),&life,sizeof(life),NULL);
            if(mn>0)
                aim(min,smooth);
            int CrosshairID;
        /*ReadProcessMemory(proc, (LPCVOID)(coff+spbase),&CrosshairID,sizeof(CrosshairID),NULL);
                            int team;
                        DWORD ptemp;
            ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((CrosshairID-1)*0x10)),&ptemp,sizeof(ptemp),NULL);//get the base of the current entity
           
            ReadProcessMemory(proc, (LPCVOID)(ptemp+toff),&team,sizeof(team),NULL);//get the entity's team
             if(team==teamnum)
                fire();*/
        }

        }     


    return 0;

}
    void getAngle( float *src, float *dst, float *angles )
    {
       float vector[]={src[0]-dst[0],src[1]-dst[1],src[2]-dst[2]};
       float hyp=sqrt(vector[0]*vector[0]+vector[1]*vector[1]+vector[2]*vector[2]);
       float pitch=asinf(vector[2]/hyp)*(180/M_PI);
       float yaw=atanf(vector[1]/vector[0])*(180/M_PI);

       angles[0]=pitch;
       angles[1]=yaw;
       angles[2]=0.0f;
       if(vector[0]>=0.0)
        angles[1]+=180.0f;

    }
    double getVec( float *src, float *dst)
    {
        double delta[3] = { (src[0]-dst[0]), (src[1]-dst[1]), (src[2]-dst[2]) };
        double hyp = sqrt(delta[0]*delta[0] + delta[1]*delta[1]);
        return hyp;
    }
HANDLE getHandle(char pname[])
{
    DWORD dwPid=0;//the pid
    HANDLE proc, hProc;//handles
    PROCESSENTRY32 pe32 = {sizeof(PROCESSENTRY32)};//creats a pe32 entry
 
        while(!dwPid)//while we dont have a pid
        {
 
        printf("Searching for csgo process...\n");
        printf("Make sure the game is running!\n");
        hProc=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
 
        if(Process32First(hProc, &pe32))//place process in pe32
        {
            do
            {
                if(!strcmp(pe32.szExeFile,pname))//compare pe32 pname to the pname
                {
                    dwPid=pe32.th32ProcessID;//set pid to the pid of the process if the process names matched
                    break;
                }
            }while(Process32Next(hProc,&pe32));//move to next process
        }
        CloseHandle(hProc);//release the snapshot before the next attempt
        Sleep(10);//Win32 Sleep() takes milliseconds; lowercase sleep() is the POSIX call and takes seconds
    }
    pid=dwPid;
    proc=OpenProcess (PROCESS_ALL_ACCESS,FALSE,dwPid);//open process Handle
 
 
    return proc;//return the Handle
}
double getHyp(int id)
{
        int i;
    float porg[3];
    for(i=0;i<3;i++)
    {
        float t;
       
        ReadProcessMemory(proc, (LPCVOID)(spbase+vecorigin+(i*sizeof(float))),&t,sizeof(float),NULL);
       
        porg[i]=t;
    }


        float r;
        ReadProcessMemory(proc, (LPCVOID)(spbase+(vecoff+(2*sizeof(float)))),&r,sizeof(float),NULL);
        porg[2]=porg[2]+r;
   
        DWORD enem;
        ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+(id*0x10)),&enem,sizeof(enem),NULL);
        //printf("\nAddress of enem %x", enem);
    float eorg[3];
    /*for(i=0;i<3;i++)
    {
        float t;
        printf("\n\nAddr%d:0x%x",i,(enem));//+0x00000134+(i*0x4)));
        ReadProcessMemory(proc, (LPCVOID)(enem+0x00000134+(i*0x4)),&t,4,NULL);
        printf(":%f", t);
        eorg[i]=t;
    }*/ DWORD mat;
        ReadProcessMemory(proc, (LPCVOID)(enem+bonemat),&mat,sizeof(mat),NULL);
        float t;
        ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x0C),&t,sizeof(float),NULL);
        eorg[0]=t;
        ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x1C),&t,sizeof(float),NULL);
        eorg[1]=t;
        ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x2C),&t,sizeof(float),NULL);
        eorg[2]=t;
        return getVec(porg,eorg);
}
 void aim(int id,float smooth)
 {
    int i;
    float porg[3];
    for(i=0;i<3;i++)
    {
        float t;
       
        ReadProcessMemory(proc, (LPCVOID)(spbase+vecorigin+(i*sizeof(float))),&t,sizeof(float),NULL);
       
        porg[i]=t;
    }


        float r;
        ReadProcessMemory(proc, (LPCVOID)(spbase+(vecoff+(2*sizeof(float)))),&r,sizeof(float),NULL);
        porg[2]=porg[2]+r;
   
        DWORD enem;
        ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+(id*0x10)),&enem,sizeof(enem),NULL);
        //printf("\nAddress of enem %x", enem);
    float eorg[3];
    /*for(i=0;i<3;i++)
    {
        float t;
        printf("\n\nAddr%d:0x%x",i,(enem));//+0x00000134+(i*0x4)));
        ReadProcessMemory(proc, (LPCVOID)(enem+0x00000134+(i*0x4)),&t,4,NULL);
        printf(":%f", t);
        eorg[i]=t;
    }*/ DWORD mat;
        ReadProcessMemory(proc, (LPCVOID)(enem+bonemat),&mat,sizeof(mat),NULL);
        float t;
        ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x0C),&t,sizeof(float),NULL);
        eorg[0]=t;
        ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x1C),&t,sizeof(float),NULL);
        eorg[1]=t;
        ReadProcessMemory(proc, (LPCVOID)((mat)+(0x30*head)+0x2C),&t,sizeof(float),NULL);
        eorg[2]=t;

    float ang[3];

    getAngle(porg,eorg,ang);
    //printf("\n%f:%f",ang[0],ang[1]);
    //printf("Adress ang off %x", angoff);
    if(smooth)
    {
        byte a1[sizeof(float)*3];
        memcpy(&a1,ang,sizeof(float)*3);
        float an1;
        float an2;
        ReadProcessMemory(proc, (LPCVOID)(angoff),&an1,sizeof(float),NULL);
        ReadProcessMemory(proc, (LPCVOID)(angoff+sizeof(float)),&an2,sizeof(float),NULL);
        float temp[2];
        temp[0]=(float)(an1+((ang[0]-an1)/smooth));
        temp[1]=(float)(an2+((ang[1]-an2)/smooth));
        if(temp[0]<=FLT_MAX&&temp[0]>=FLT_MIN)
            ang[0]=temp[0];
        if(temp[1]<=FLT_MAX&&temp[1]>=FLT_MIN)
            ang[1]=temp[1];
       

    }
    printf("\nAng1=%f",ang[0]);
    printf("\nAng1=%f",ang[1]);
        byte a1[sizeof(float)*3];
    memcpy(&a1,ang,sizeof(float)*3);
   WriteProcessMemory(proc,(LPVOID)(angoff),a1,sizeof(float)*3,NULL);
            if(!smooth)
            {
                if(fir)
                {
                int CrosshairID;
                ReadProcessMemory(proc, (LPCVOID)(coff+spbase),&CrosshairID,sizeof(CrosshairID),NULL);//gets the id of the entity the player is aiming at
                if(CrosshairID>0&&CrosshairID<25)//if the id is within the proper range
                {
                                    int ts;
                                    DWORD shoot;
                                    ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+((CrosshairID-1)*0x10)),&shoot,sizeof(shoot),NULL);//get the base of the current entity
           
                                 ReadProcessMemory(proc, (LPCVOID)(shoot+toff),&ts,sizeof(ts),NULL);//get the entity's team
                                 if(ts==teamnum)
                                 {
                                    fire();
                                 }
                }
                }
            }
   


 }
 void fire()
 {
            mouse_event( MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0 );
            Sleep(1);
            mouse_event( MOUSEEVENTF_LEFTUP, 0, 0, 0, 0 );
 }



void buildList()
{
    int i;
    for(i=0;i<32;i++)//loop through the 32 entity slots, more than the usual 24 player limit in CS:GO; raise it if you play on bigger servers
    {

        /*
        DWORD ptemp;
        ReadProcessMemory(proc, (LPCVOID)(dll+entitybase+(i*0x10)),&ptemp,sizeof(ptemp),NULL);//get the base of the current entity
        int t;
        ReadProcessMemory(proc, (LPCVOID)(ptemp+toff),&t,sizeof(t),NULL);//get the entity's team
        printf("%d\n", t);
        if(t==3||t==2)//if the id matches the teamnumbers in cs go
        teams[i]=t; //set the entity's team to that
        else
            teams[i]=-1;//else set it to -1 cause we definetely do not want to shoot at it*/
            teams[i]=0;
    }
}

DWORD modBase(LPSTR mname)
{
    HANDLE hModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);//snapshot of the modules loaded in the target process
    MODULEENTRY32 mEntry;
    mEntry.dwSize = sizeof(mEntry);
    if (hModule == INVALID_HANDLE_VALUE || !Module32First(hModule, &mEntry))//the entry has to be filled by Module32First before it is compared
        return 0;
    do
        if (!strcmp(mEntry.szModule, mname))//if the module == mname
        {
        CloseHandle(hModule); //close the snapshot
        return (DWORD)mEntry.modBaseAddr;//return the adress of the one we found
        }
    while (Module32Next(hModule, &mEntry));
    CloseHandle(hModule);
    return 0;
}

//do i need to explain this
int mpow(int base, int pow)
{
    int i=0;
    int sum=1;
    for(i=0;i<pow;i++)
    {
        sum=sum*base;
    }
    return sum;
}

With this I sacrificed some usability for speed, so any time you change teams or there is a team change etc. you have to restart the hack to get the new player ids etc...

So basically how you use it:
Launch once in game and all players are in

Then you need a numpad:

To control aiming:
7-No aim
8-Aim for body
9-Aim for head

Control rage (This will aim at people without you first pointing to them) hack:
2-On
3-Off

Triggerbot (shoots if your crosshair is on player does not work with smooth aim currently):
6-On
5-Off

Smooth Aim:
Ins-On
Del-Off
Shift-Unlock from target

By the way the commented out stuff is for a config file to change offsets and the smoothing factor.
Notes:

For now, if you want to change the smoothing factor, change the variable factor on line 38 (50 is not very noticeable; bump it to maybe 100).

I also attached a C file that can be compiled as a DLL for injection into a benign program to try to hide from VAC; currently the executable is not detected though.

For how the math works check this out: http://www.unknowncheats.me/forum/counterstrike-global-offensive/137492-math-behind-hack-1-coding-better-aimbot-stop-using-calcangle.html
